Configuring and Managing Security ACLs 353

Security ACL Filters

A security ACL filters packets to restrict or permit network traffic. These filters can then be mapped by name to authenticated users, ports, VLANs, virtual ports, or Distributed APs. You can also assign a class-of-service (CoS) level that marks the packets matching the filter for priority handling.

A security ACL contains an ordered list of rules called access control entries (ACEs), which specify how to handle packets. An ACE contains an action that can deny the traffic, permit the traffic, or permit the traffic and mark it with a specific CoS level for packet handling. The filter can include source and destination IP address information along with other Layer 3 and Layer 4 parameters. The action is taken only if the packet matches the filter.

The order in which ACEs are listed in an ACL is important. WSS Software applies ACEs that are higher in the list before ACEs lower in the list, and the first ACE that matches a packet determines the action taken. (See “Modifying a Security ACL” on page 369.) An implicit “deny all” rule is always processed as the last ACE of an ACL. If a packet matches no ACE in the entire mapped ACL, the packet is rejected. If the ACL does not contain at least one ACE that permits access, no traffic is allowed.

Plan your security ACL maps to ports, VLANs, virtual ports, and Distributed APs so that only one security ACL filters a given flow of packets. If more than one security ACL filters the same traffic, WSS Software applies only the first ACL match and ignores any other matches. Security ACLs that are mapped to users have precedence over ACLs mapped to ports, VLANs, virtual ports, or Distributed APs.

You cannot perform ACL functions that include permitting, denying, or marking with a Class of Service (CoS) level on packets with a multicast or broadcast destination address.

Creating and Committing a Security ACL

The security ACLs you create can filter packets by source address, IP protocol, port type, and other characteristics. When you configure an ACE for a security ACL, WSS Software stores the ACE in the edit buffer until you commit the ACL to be saved to the permanent configuration. You must commit a security ACL before you can apply it to an authenticated user’s session or map it to a port, VLAN, virtual port, or Distributed AP. Every security ACL must have a name.
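The rules stated in this section (ordered ACEs with the first match deciding, the implicit “deny all”, user-mapped ACLs taking precedence over port, VLAN, virtual-port and Distributed AP mappings, no ACL action on multicast or broadcast destinations, and commit-before-map) are easy to get wrong in practice, most often by placing a broad deny above the permit it was meant to follow. The Python model below is an added example written for this page; it is not WSS Software code and does not reproduce the switch CLI. The ACL and ACE names, the IP addresses, the “user:”/“vlan:”/“port:” mapping labels and the use of list order to stand in for the switch’s own lookup order among non-user mappings are all assumptions of the model, as is treating only the limited broadcast 255.255.255.255 as broadcast.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

ANY = ipaddress.ip_network("0.0.0.0/0")
LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")

@dataclass
class ACE:
    action: str                      # "permit" or "deny"
    protocol: str = "ip"             # "ip" matches any IP protocol
    src: ipaddress.IPv4Network = ANY
    dst: ipaddress.IPv4Network = ANY
    dst_port: Optional[int] = None   # None matches any destination port
    cos: Optional[int] = None        # CoS level marked on permitted packets

    def matches(self, pkt: Dict) -> bool:
        if self.protocol != "ip" and self.protocol != pkt["protocol"]:
            return False
        if pkt["src"] not in self.src or pkt["dst"] not in self.dst:
            return False
        return self.dst_port is None or pkt["dst_port"] == self.dst_port

@dataclass
class ACL:
    """Named, ordered list of ACEs; `aces` is the edit buffer until commit()."""
    name: str
    aces: List[ACE] = field(default_factory=list)
    committed: bool = False

    def commit(self) -> "ACL":
        self.committed = True
        return self

    def evaluate(self, pkt: Dict) -> Tuple[str, Optional[int], Optional[int]]:
        """Top-down, first match decides; no match means the implicit deny all."""
        for index, ace in enumerate(self.aces, start=1):
            if ace.matches(pkt):
                return ace.action, ace.cos, index
        return "deny", None, None

def packet(src, dst, protocol, dst_port=None):
    return {"src": ipaddress.ip_address(src), "dst": ipaddress.ip_address(dst),
            "protocol": protocol, "dst_port": dst_port}

def is_filterable(pkt: Dict) -> bool:
    """No ACL action on multicast/broadcast destinations. Only the limited broadcast
    is recognised here; directed broadcasts would need subnet knowledge (assumption)."""
    return not (pkt["dst"].is_multicast or pkt["dst"] == LIMITED_BROADCAST)

def map_acl(acl: ACL, target: str) -> Tuple[str, ACL]:
    """Map to "user:<name>", "vlan:<id>", "port:<n>", ...; the ACL must be committed."""
    if not acl.committed:
        raise ValueError(f"ACL {acl.name!r} is still in the edit buffer; commit it first")
    return target, acl

def select_acl(mappings: List[Tuple[str, ACL]]) -> Optional[ACL]:
    """A user-mapped ACL wins; otherwise only the first mapping is applied (list
    order stands in for the switch's own lookup order, an assumption of this model)."""
    for target, acl in mappings:
        if target.startswith("user:"):
            return acl
    return mappings[0][1] if mappings else None

def filter_packet(pkt: Dict, mappings: List[Tuple[str, ACL]]) -> Tuple:
    if not is_filterable(pkt):
        return ("unfilterable", None, None, None)
    acl = select_acl(mappings)
    if acl is None:
        return ("permit", None, None, None)   # nothing mapped: the flow is not filtered
    action, cos, index = acl.evaluate(pkt)
    return (action, cos, acl.name, index)

def demo() -> Dict:
    web, clients = ipaddress.ip_network("10.1.1.0/24"), ipaddress.ip_network("10.2.0.0/16")
    https_in = ACE("permit", "tcp", clients, web, dst_port=443, cos=5)
    # Right order: specific permit first; the trailing deny only restates the implicit one.
    good = ACL("web-only", [https_in, ACE("deny")]).commit()
    # Wrong order: the broad deny shadows the permit below it, so nothing ever passes.
    shadowed = ACL("web-only-broken", [ACE("deny"), https_in])
    dns_only = ACL("alice-dns", [ACE("permit", "udp", clients, ANY, dst_port=53)]).commit()

    https = packet("10.2.3.4", "10.1.1.10", "tcp", 443)
    dns = packet("10.2.3.4", "10.1.1.53", "udp", 53)
    mcast = packet("10.2.3.4", "239.1.1.1", "udp", 5000)
    vlan_only = [map_acl(good, "vlan:10")]
    with_user = [map_acl(good, "vlan:10"), map_acl(dns_only, "user:alice")]
    try:
        map_acl(shadowed, "port:3")                       # never committed
        uncommitted = "mapped"
    except ValueError:
        uncommitted = "rejected"
    return {
        "good_https": good.evaluate(https),               # ("permit", 5, 1)
        "shadowed_https": shadowed.evaluate(https),       # ("deny", None, 1)
        "vlan_dns": filter_packet(dns, vlan_only),        # ("deny", None, "web-only", 2)
        "user_dns": filter_packet(dns, with_user),        # ("permit", None, "alice-dns", 1)
        "user_https": filter_packet(https, with_user),    # ("deny", None, "alice-dns", None)
        "multicast": filter_packet(mcast, vlan_only),     # ("unfilterable", None, None, None)
        "uncommitted_map": uncommitted,                   # "rejected"
    }
```

Calling demo() shows the two points that bite most often: the same two ACEs in the wrong order deny the HTTPS flow they were written to permit, and once a user-mapped ACL exists for alice, the VLAN ACL is ignored for her entirely, so her HTTPS traffic falls through to the implicit deny of alice-dns even though the VLAN ACL would have permitted it. Mapping the uncommitted ACL is rejected, matching the requirement to commit before mapping.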

Nortel WLAN Security Switch 2300 Series Configuration Guide
